Topics
- Cisco ASA Virtualization Overview
- Virtual Firewall Deployment Guidelines: the information you need before you deploy virtual firewalls
- Configuration Tasks Overview
- Configuring Security Contexts
- Verifying Security contexts
- Managing Security Contexts
- Configuring Resource Management
- Verify Resource Management
- Troubleshooting Security Contexts
Perhaps you are an Internet service provider and would like to set up multiple firewalls for the different customers of your services. Or perhaps you are a network engineer for a large enterprise that wants multiple firewalls for different areas of the enterprise network. Virtual firewalls are created on the Cisco ASA using a technology called security contexts.
Part 1: Cisco ASA Virtualization Overview
Cisco ASA virtualization refers to the capability to create multiple virtual firewalls inside a single Cisco ASA. Before you can create these additional security contexts, you must convert the ASA to multiple mode. Once you have done this and have defined your contexts, you can assign interfaces, administrators, and security policies to each context just as though it were an independent firewall device.
The following features are not supported in multiple mode, in any of the virtual firewalls:
- IP Security (IPsec) VPNs and other IPsec services
- Secure Sockets Layer (SSL) VPNs
- Dynamic routing protocols
- Phone Proxy
- Threat detection
- Multicast IP Routing
System Configuration
The system configuration defines basic security settings for the Cisco ASA itself and is the entity that stores information about all the other security contexts. The system configuration also maintains the settings of the physical interfaces inside the Cisco ASA. As when running your ASA in single mode, the system configuration resides as the startup configuration in flash memory.
Admin Context
The admin context is just like any other context, except that when a user logs in to this context, they have administrative rights over all the security contexts set up on the system.
The system configuration relies on the admin context to access interfaces that can pass traffic. Common uses of this special context are to retrieve configurations for other contexts and to send system-level syslog messages. When you want to create new contexts or change the system configuration in any way, you log in to the admin context. Note that the name of this context can be changed from the default of admin.
Part 2: Virtual Firewall Deployment Guidelines
You must plan carefully before implementing your virtual firewalls. Be sure to determine the following:
- The number of security contexts you require: You will use this information to create and name the security contexts you require. Note that the number of security contexts you can create depends on the type of license you have purchased with your ASA.
- The configuration storage for each context: The options are flash memory or external servers.
- The network topology information for your deployment: You need to plan carefully which interfaces will be associated with which security contexts. You also need to plan the IP addressing and routing to use inside each security context.
- The security policy used inside each of the security contexts: This information could be quite elaborate and involved, depending on the complexity of the network and the associated security policies.
Deployment Choices
When you are deciding whether to use virtual firewalls, consider the following conditions that typically necessitate their use:
- You have very distinct security policies that need to be assigned to different customers or different departments within your enterprise network.
- You are an Internet service provider that needs to separate traffic from different customers.
- You are interested in providing robust redundancy in your firewall environment. The use of multiple security contexts enables the use of active/active failover.
Deployment Guidelines
There are plenty of other important deployment guidelines you should consider before implementing a multiple mode Cisco ASA with multiple security contexts. Here are some of the most critical for you to consider and memorize for the FIREWALL exam:
- The transparent mode option cannot be set on a per-security-context basis. If you need a transparent mode security context, all your other virtual firewalls must also use transparent mode.
- When creating a transparent mode device, make the change first, and then create your security contexts. If you create your security contexts first and then initiate the cutover to transparent mode, the security contexts will be removed.
- Only a limited number of interfaces are supported in a security context running in transparent mode.
- Shared interfaces cannot be used when the security contexts are running in transparent mode.
- When using shared interfaces, ensure that you assign a unique MAC address to the interface in each context.
- Always consider the use of context resource management to ensure that a single context cannot deplete all the resources available on the Cisco ASA.
Limitations
Here are some of the most important limitations you should know regarding virtual firewalls on the Cisco ASA:
- Key features that are not supported on a Cisco ASA in multiple mode are dynamic routing protocols, IPsec and SSL VPNs, multicast IP routing, threat detection, and Phone Proxy.
- The Cisco ASA 5505 does not support multiple mode.
- The number of security contexts you can create depends on the software license you possess and the Cisco ASA hardware model you are using.
Part 3: Configuration Tasks
When you are preparing to implement complex configurations on the Cisco ASA, it is valuable to examine a high-level overview of the configuration process.
Step 1. Enable multiple mode on the Cisco ASA.
Step 2. Create a Security Context.
Step 3. Allocate interfaces to the context.
Step 4. Specify the startup configuration location for the context.
Step 5. Configure the Security Context resource management.
Step 6. Configure each security context as a separate security appliance.
1. Configuring Security Contexts
Single mode to multiple mode: the following changes take place within the device:
- The Cisco ASA automatically creates a security context named admin.
- The running configuration of the device is converted into a system configuration and a configuration for the admin security context. The admin configuration is stored as admin.cfg.
- The original running configuration is saved as old_running.cfg.
- Interfaces that were enabled in single mode are added to the admin security context.
- Interfaces that were disabled at the time of conversion are not assigned to any security context.
ciscoasa(config)# mode multiple noconfirm
Use the mode command in global configuration mode. The optional noconfirm keyword makes the change without a confirmation request; this option is useful for automating the process with a script.
As mentioned previously, a new security context is not operational until you specify the location of the context's startup configuration. You specify this location as a URL. Options include the following:
- disk0: or flash: stored in internal flash memory
- disk1: stored on a CompactFlash memory card
- tftp: stored on an external TFTP server
- ftp: stored on an external FTP server
- http: or https: stored on a web server or SSL web server
Note: the admin context must be stored on internal flash (disk0: or flash:).
At the CLI, use the context command to create a context and the allocate-interface command to provision the correct interfaces. Use the config-url command to specify the configuration file location.
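As an added example (not code from this page or from Cisco), the following Python script checks a planned set of contexts against the deployment guidelines in Part 2 and emits the system-space commands named above. The context names, interface names, file URLs, the TFTP address and the class name are constructed sample values; the ASA is assumed to be in multiple mode already.

```python
# Added example: validate a multiple-mode context plan against the deployment
# guidelines (admin context on internal flash, shared interfaces need unique MACs,
# no shared interfaces in transparent mode) and render the system-space CLI.
from collections import Counter

PLAN = {  # constructed sample: name -> allocated interfaces, startup-config URL
    "admin":    {"interfaces": ["GigabitEthernet0/1.100", "GigabitEthernet0/1.101"],
                 "config_url": "disk0:/admin.cfg"},
    "contexta": {"interfaces": ["GigabitEthernet0/1.200", "GigabitEthernet0/1.201"],
                 "config_url": "disk0:/contexta.cfg", "resource_class": "gold"},
    "contextb": {"interfaces": ["GigabitEthernet0/1.300", "GigabitEthernet0/1.301"],
                 "config_url": "tftp://192.0.2.10/contextb.cfg"},
}

def shared_interfaces(plan):
    """Interfaces allocated to more than one context (the packet-classification case)."""
    usage = Counter(i for ctx in plan.values() for i in ctx["interfaces"])
    return sorted(i for i, n in usage.items() if n > 1)

def validate_plan(plan, transparent=False, mac_auto=False):
    """Return a list of guideline violations; an empty list means the plan is clean."""
    problems = []
    admin = plan.get("admin")
    if admin is None:
        problems.append("no admin context defined")
    elif not admin["config_url"].startswith(("disk0:", "flash:")):
        problems.append("admin context must be stored on internal flash (disk0:/flash:)")
    shared = shared_interfaces(plan)
    if transparent and shared:
        problems.append("shared interfaces are not allowed in transparent mode: " + ", ".join(shared))
    for name, ctx in plan.items():  # a shared interface needs a unique MAC in each context
        for i in ctx["interfaces"]:
            if i in shared and not mac_auto and i not in ctx.get("macs", {}):
                problems.append(f"{name}: shared {i} has no unique MAC address (set one or use mac-address auto)")
    return problems

def render_cli(plan, mac_auto=False):
    """System-configuration commands for the plan (context, allocate-interface, config-url, member)."""
    lines = ["mac-address auto"] if mac_auto else []  # let the ASA generate per-context MACs
    for name, ctx in plan.items():
        lines.append(f"context {name}")
        lines += [f" allocate-interface {i}" for i in ctx["interfaces"]]
        lines.append(f" config-url {ctx['config_url']}")
        if "resource_class" in ctx:
            lines.append(f" member {ctx['resource_class']}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(validate_plan(PLAN) or "plan OK")
    print(render_cli(PLAN))
```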
2. Verifying Security Contexts
When you are in the system execution space at the CLI, you can easily view a list of the security contexts on the system:
ciscoasa# show context
Context Name      Interfaces                  URL
*admin            GigabitEthernet0/1.100      disk0:/admin.cfg
                  GigabitEthernet0/1.101
 contexta         GigabitEthernet0/1.200      disk0:/contexta.cfg
                  GigabitEthernet0/1.201
 contextb         GigabitEthernet0/1.300      disk0:/contextb.cfg
                  GigabitEthernet0/1.301
Total active Security Contexts: 3
Note that an asterisk (*) to the left of the context name indicates the current admin context.
3. Managing Security Contexts
Managing a security context is a matter of entering the context environment.
To change between contexts at the CLI, use the changeto command in privileged mode. For example:
ciscoasa# changeto context mycontext
or
ciscoasa# changeto system
Packet classification
When your security contexts are in routed mode and are sharing interfaces across contexts, the Cisco ASA requires some method for determining to which context it should send a packet. The ASA checks for the following to do this:
- A unique interface
- A unique MAC address
- A global IP address in a NAT configuration
Remember, as stated earlier, using unique MAC addresses is recommended if you are in multiple mode with transparent mode security contexts. You can change MAC addresses manually, or you can have the Cisco ASA generate a unique MAC address for you.
Changing the Admin Context
To change which context is the admin context, use the admin-context command in privileged mode and simply specify the name of the new admin context, as demonstrated here:
ciscoasa(config)# admin-context administrator
4. Configuring Resource Management
By default, a particular security context has unlimited access to the resources of the Cisco ASA. By using the resource management capabilities, you can impose limits on the use of specific hardware resources per security context. This is obviously an important aspect of a virtual firewall implementation and can guard against malicious or accidental issues. Realize that a single context that is depleting a large share of the Cisco ASA's resources can have an impact on all the security contexts on the device.
You can configure resource limits for the following:
- Cisco ASDM Sessions
- Connections (both a count limit and a rate limit are available)
- Hosts that can connect
- SSH Sessions
- Telnet Sessions
- Address Translations
- Rate of application inspections per second
- Rate of system log messages per second
- Number of MAC addresses allowed in the MAC address table
The Default Class
Resource management for a multiple mode Cisco ASA requires the creation and configuration of resource classes. You create and define resource classes and then assign security contexts to these classes. By default, there is a resource class on the Cisco ASA called the default class. This class has predefined limits, and every security context that is created belongs to this class. Initially, when you create a new resource class, it inherits the settings of the default class.
Creating a New Resource Class
To configure a resource class at the CLI, use the class command. Use the limit-resource command to set resource limits. Finally, use the member command in context configuration mode to assign the resource class.
hostname(config)# class gold
hostname(config-class)# limit-resource mac-addresses 10000
hostname(config-class)# limit-resource conns <percent>%
hostname(config-class)# limit-resource rate conns <number>
hostname(config-class)# limit-resource rate inspects <number>
hostname(config-class)# limit-resource hosts 9000
hostname(config-class)# limit-resource asdm 5
hostname(config-class)# limit-resource ssh 5
hostname(config-class)# limit-resource rate syslogs <number>
hostname(config-class)# limit-resource telnet 5
hostname(config-class)# limit-resource xlates 36000
! And then later, to make the context a member of the class:
hostname(config-ctx)# member gold
Caution: do not overallocate resources across security contexts; the total assigned must not exceed what is available. It is up to you to plan and implement the available resources. The configuration software will allow you to overallocate resources, resulting in poor performance and access to fewer resources than intended.
Verifying Resource Management
hostname# show resource allocation
Resource            Total        % of Avail
Conns [rate]        35000        N/A
Inspects [rate]     35000        N/A
Syslogs [rate]      10500        N/A
Conns               305000       30.50%
Hosts               78842        N/A
SSH                 *            35.00%
Telnet              *            35.00%
Xlates              91749        N/A
All                 unlimited
The show resource usage command displays the resource usage for each context.
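As an added example (not code from this page or from Cisco), this Python script totals the limits granted by each resource class across its member contexts, the way the Total and % of Avail columns of show resource allocation report them, and flags the overallocation the caution above warns about. The class limits, memberships and platform capacities are constructed sample values; real capacities depend on the ASA model and license.

```python
# Added example: compute per-resource allocation from resource classes and their
# member contexts, and flag resources whose combined limits exceed the platform.
# Capacities below are constructed sample values, not figures for any ASA model.
CAPACITY = {"conns": 1000000, "hosts": 250000, "ssh": 100, "telnet": 100, "xlates": 300000}

# Constructed sample classes and memberships (class names echo the example above).
CLASSES = {
    "gold":   {"conns": "15%", "hosts": 9000, "ssh": 5, "telnet": 5, "xlates": 36000},
    "silver": {"conns": "5%",  "hosts": 3000, "ssh": 2, "telnet": 2, "xlates": 12000},
}
MEMBERSHIP = {"admin": "gold", "contexta": "gold", "contextb": "silver"}

def parse_limit(value, capacity):
    """A limit-resource value is an absolute count or a percentage of the capacity."""
    if isinstance(value, str) and value.endswith("%"):
        return capacity * float(value[:-1]) / 100.0
    return float(value)

def allocation(classes, membership, capacity=CAPACITY):
    """classes: name -> {resource: limit}; membership: context -> class name.
    Returns resource -> (total allocated, percent of available), summing each
    class's limit once per member context, as the ASA's allocation view does."""
    members = {}  # class -> number of member contexts
    for ctx, cls in membership.items():
        members[cls] = members.get(cls, 0) + 1
    totals = {}
    for cls, limits in classes.items():
        n = members.get(cls, 0)
        for resource, limit in limits.items():
            totals[resource] = totals.get(resource, 0.0) + n * parse_limit(limit, capacity[resource])
    return {r: (int(t), round(100.0 * t / capacity[r], 2)) for r, t in totals.items()}

def overallocated(alloc):
    """Resources whose combined class limits exceed 100% of what the ASA has."""
    return sorted(r for r, (_, pct) in alloc.items() if pct > 100.0)

if __name__ == "__main__":
    alloc = allocation(CLASSES, MEMBERSHIP)
    for resource, (total, pct) in alloc.items():
        print(f"{resource:<10}{total:>10}{pct:>10.2f}%")
    print("overallocated:", overallocated(alloc) or "none")
```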
5. Troubleshooting Security Contexts
Troubleshooting Cisco ASA devices in multiple mode poses extra challenges that do not exist in single mode systems. Troubleshooting efforts will often be split between time in the system execution space and time in individual security contexts. In the system configuration area, you will often rely on the show context, show interface, and show resource usage commands. While in a particular context, you often simply need to use show interface.
A common set of steps for troubleshooting security context issues is as follows:
Step 1. Verify interface status in the system execution space; use the no shutdown command as necessary.
Step 2. Verify interface status in a context environment. Use the no shutdown command as necessary.
Step 3. In the case of shared interfaces, ensure that packets can be classified properly into specific security contexts. You may need to create unique MAC addresses or properly configure NAT.
Step 4. Verify resource usage.
Step 5. Troubleshoot within a security context as if you were troubleshooting a standalone security appliance. Refer to the "Troubleshooting" sections in other chapters of this book for guidance.
Note: the Cisco ASA logs system messages when a context cannot pass traffic due to a resource limit. You should monitor these messages carefully.
Virtual Firewalls (Security contexts)